SQL Server passwords

["David Litchfield" <david () ngssoftware com>]

Hi all,
I've received many responses about my paper on SQL Server passwords
 http://www.nextgenss.com/papers/cracking-sql-passwords.pdf ] and how they
are hashed, most of those responses being along the lines of 'but only sa
can get the hashes so what is the use in knowing this?'.

Well there are two things that should be noted here.

Firstly it gives the SQL Server administrator a chance to audit their users'
password strength. This is an oft use practice by system administrators.

Secondly, and more importantly, a normal, low privileged user can exploit a
vulnerability in SQL Server to gain access to the hashes. For anyone who has
not read it yet I'd recommend reading Chris Anley's paper on 'runtime
patching'.
[ http://www.nextgenss.com/papers/violating_database_security.pdf ] This
discusses a three byte [runtime] patch that makes every login equivalent to
'sa' by exploiting a buffer overrun vulnerability. In the wake of so many
such vulnerabilities (pwdencrypt(), opendatasource(), openrowset(), etc.,
etc.) one should consider this as a potential threat. [Apply those patches a
soon as possible!]

Actually as a third and less likely option, if someone can access backup
tapes etc this may also yeild the hashes.

Cheers,
David Litchfield